Shopify Data Processing Addendum

1. Definitions

(a) “European Data Protection Laws” means European Union Regulation 2016/679 (the “General Data Protection Regulation”), the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and any relevant law, statute, regulation, rule or other binding instrument which implements the above or otherwise relates to data protection, privacy, data security or the processing of Personal Data in any European member state or the United Kingdom, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.

(b) “Personal Data” shall be interpreted in accordance with European Data Protection Laws and US Data Protection Laws, as applicable, and relating to an identifiable or identified individual who visits or engages in transactions through your store (a “Customer”), which Shopify Processes as a Data Processor or Service Provider (as defined under such laws) in the course of providing you, as a Data Controller or Business (as defined under such laws), with the Services. The term “Personal Data” shall also include “Personal Information” as defined under US Data Protection Laws. Notwithstanding the foregoing sentence, Personal Data does not include information that Shopify processes in the context of services that it provides directly to a consumer, such as through its consumer-facing applications like Shop and Shop Pay.

(c) “US Data Protection Laws” means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and other similar comprehensive state privacy laws that place obligations on a Business or Controller in relation to Personal Data (as defined under such laws), and any relevant regulation, rule or other binding instrument which implements such laws, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.

(d) “US Consumer” means an individual that is a “consumer” as defined under US Data Protection Laws.

(e) All other capitalized terms in this Addendum shall have the same definition as in the Agreement.

2. Details of Processing

2.1. The parties agree that Appendix 1 of this Addendum describes the subject matter and details of the processing of Personal Data. Shopify may aggregate, anonymize or deidentify Personal Data and process such data for the purposes set out in Appendix 1 or as otherwise permitted by applicable law. To the extent Shopify receives from you Personal Data that has been Deidentified (as defined in section 5.1 of this Addendum), Shopify will maintain and use the data only in a Deidentified fashion.

3. European Union and United Kingdom

3.1. This section applies only to the extent that Shopify’s Processing of Personal Data is subject to European Data Protection Laws. In this section, “Data Processor”, “Data Controller”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with the European Data Protection Laws.

3.2. You acknowledge that Shopify acts as an independent Data Controller with regards to personal data that it collects from consumers in connection with its consumer-facing applications and services like Shop and Shop Pay.

3.3. Where a Data Subject is located in the European Economic Area or the United Kingdom, that Data Subject’s Personal Data will be Processed by Shopify’s Irish affiliate, Shopify International Ltd (“Shopify EU”). As part of providing the Services, this Personal Data may be transferred to other regions, including to Canada and the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.

3.4. When Shopify EU Processes Personal Data in the course of providing the Services, Shopify will:

  • 3.4.1. Process the Personal Data as a Data Processor and/or Service Provider, only for the purpose of providing the Services in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by you. If Shopify EU is required by law to Process the Personal Data for any other purpose, Shopify EU will provide you with prior notice of this requirement, unless Shopify EU is prohibited by law from providing such notice;

  • 3.4.2. notify you if, in Shopify EU’s opinion, your instruction for the Processing of Personal Data infringes applicable European Data Protection Laws;

  • 3.4.3. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Shopify EU’s Processing of the Personal Data;

  • 3.4.4. implement reasonable technical and organizational measures enabling you to execute requests relating to your Customer’s Personal Data that you are obligated to fulfill;

  • 3.4.5. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;

  • 3.4.6. upon request, provide reasonable information to help you complete your data protection impact assessments and prior consultations with regulatory authorities;

  • 3.4.7. provide you, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Shopify EU’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this Addendum;

  • 3.4.8. notify you without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;

  • 3.4.9. ensure that its personnel who access the Personal Data are subject to confidentiality obligations; and

  • 3.4.10. upon termination of the Agreement, Shopify EU will promptly initiate its purge process to delete or anonymize the Personal Data. You may also request, within 60 days of termination, that Shopify return such Personal Data.

3.5. In the course of providing the Services, you acknowledge and hereby grant Shopify EU general written authorisation to use Subprocessors, listed online at: https://help.shopify.com/en//manual/privacy-and-security/privacy/subprocessors (“Subprocessor List”), to Process the Personal Data. Shopify EU’s use of any specific Subprocessor to process the Personal Data must be in compliance with European Data Protection Laws and must be governed by a contract between Shopify EU and Subprocessor that requires comparable protections to this Data Processing Addendum. If Shopify EU appoints a new subprocessor or intends to make changes concerning the addition or replacement of subprocessors, such changes will be made to our Subprocessor List. You will have seven (7) days from the date of the update of our Subprocessor List to object to the change. If you object to the appointment of a Subprocessor you may terminate this agreement in accordance with the Agreement and your Shopify Plus Agreement, if applicable.

3.6. You warrant that you have complied and continue to comply with European Data Protection Laws, in particular, you have obtained any necessary consents or given any necessary notices and otherwise have a legitimate ground to disclose data to Shopify EU and enable the processing of Personal Data by Shopify EU as set out in this Agreement.

4. US Consumers

4.1. This section applies only to the extent that, for purposes of the US Data Protection Laws, you are a Business or Controller and in the course of providing the Services, Shopify processes Personal Data about US Consumers that is subject to US Data Protection Laws. In this section, “Business”, “Business Purpose”, “Commercial Purpose”, “Controller”, “Deidentified”, “Processor”, “Sell”, “Sale”, “Service Provider” shall have the meanings ascribed to them in US Data Protection Laws, and “Share” shall have the meaning ascribed to it in the CCPA, are incorporated herein by reference.

4.2. With respect to such Personal Data, and to the extent required by applicable US Data Protection Laws, Shopify will:

  • 4.2.1. process Personal Data as a Service Provider and/or Processor on your behalf to provide the Services or as otherwise permitted by US Data Protection Laws;

  • 4.2.2. not retain, use or disclose Personal Data outside its direct business relationship with you or for any purpose other than to provide the Services, including retaining, using or disclosing such Personal Data for a Commercial Purpose other than performing the Business Purposes described in the Agreement, or as otherwise permitted by US Data Protection Laws;

  • 4.2.3. not Sell or Share such Personal Data;

  • 4.2.3. not combine Personal Data collected in connection with performing the Services with Personal Data received from another source or collected from its own interactions with the individual, except to perform the Services, with consent or direction, or as otherwise permitted by US Data Protection Laws;

  • 4.2.4. in connection with processing the Personal Data, comply with provisions of the US Data Protection Laws applicable to Service Providers or Processors, including providing the same level of privacy protection required of Businesses or Controllers by the US Data Protection Laws, and notify you if it determines it can no longer meet these obligations. You may, upon receiving such a notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Shopify;

  • 4.2.5. only engage subcontractors to process Personal Data on its behalf pursuant to a written contract that requires comparable protections to this Data Processing Addendum. In the course of providing the Services, you acknowledge and hereby grant Shopify general written authorisation to use subcontractors, listed online at: https://help.shopify.com/en//manual/privacy-and-security/privacy/subprocessors (“Subprocessor List”), to Process the Personal Data. Shopify’s use of any specific Subprocessor to process the Personal Data must be in compliance with US Data Protection Laws and must be governed by a contract between Shopify and Subcontractor that requires comparable protections to this Data Processing Addendum. If Shopify appoints a new subcontractor or intends to make changes concerning the addition or replacement of subcontractors, such changes will be made to our Subprocessor List. You will have seven (7) days from the date of the update of our Subprocessor List to object to the change. In the event we do not receive a response from you, the change will be deemed to be accepted. If you object to the appointment of a subcontractor you may terminate this agreement in accordance with the Agreement and your Shopify Plus Agreement, if applicable.

  • 4.2.6. ensure that its personnel who process the Personal Data are subject to confidentiality obligations with respect to such information;

  • 4.2.7. take reasonable and appropriate steps, upon reasonable written notice from you and subject to the confidentiality obligations set out in the Agreement, to assist you with confirming that Shopify’s use of Personal Data is consistent with your obligations under US Data Protection Laws;

  • 4.2.8. Upon request, provide a report of a reasonable assessment of Shopify’s policies and technical and organizational measures in support of its obligations under applicable US Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments; and

  • 4.2.9 upon termination of the Agreement, Shopify will promptly initiate its purge process to delete or Deidentify the Personal Data.You may also request, within 60 days of termination, that Shopify return such Personal Data.

4.3. You represent and warrant that you:

  • 4.3.1. have obtained any necessary consents, rights and authorizations and given any necessary notices to individuals regarding your disclosure of Personal Data to Shopify to enable Shopify’s processing of Personal Data to provide the Services, as required by applicable law;

  • 4.3.2. will not share with Shopify any Personal Data of any individual subject to the US Data Protection Laws who has exercised an opt-out that you have committed to honoring;

  • 4.3.3. will not share with Shopify sensitive data of any US Consumer who has not consented to the processing of their sensitive data;

  • 4.3.4. inform Shopify of any rights requests individuals make to you pursuant to US Data Protection Laws that Shopify must comply with and provide the information necessary for Shopify to comply with the requests; and

  • 4.3.5. be solely liable for your compliance with such laws.

4.4 You and Shopify agree that the existence of this Addendum does not constitute an admission that sharing of Personal Data constitutes a Sale or a Share.

5. General

5.1. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail, unless such provisions contradict a requirement under applicable law, in which case such requirement shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that Shopify may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Shopify’s website, available at https://shopify.com/legal/dpa and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to Shopify’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.

5.2. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.

5.3. The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Province of Ontario with respect to any dispute or claim arising out of or in connection with this Addendum.

Appendix 1: Details of Processing

Nature and purpose of processing: To provide and improve the Services under the Shopify Terms of Service and any other terms that this Addendum is incorporated into, provide any related support to Customer, as otherwise permitted under European Data Protection Laws or US Data Protection Laws, as applicable, or as initiated by you from time to time.

Subject Matter, Types of Personal Data and Categories of Data Subjects: Personal Data relating to Customers.

Duration of processing: The term of this Addendum plus the period from the end of the term until deletion of all Customer Personal Data by Shopify in accordance with its obligations under this Addendum.